Re: [openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option

2014-12-30 Thread Zeke Evans
Thanks for clarifying.
On Tue, Dec 30, 2014 at 5:55 AM, Kurt Roeckx wrote:
> On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
>> Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
>> still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
>> no-ssl3 app

Re: [openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option

2014-12-30 Thread Kurt Roeckx
On Mon, Dec 29, 2014 at 10:37:49AM -0700, Zeke Evans wrote:
> Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option
> still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a
> no-ssl3 application scenario is just one way to exploit this and that
> the ssl23_get_client_

[openssl-users] Does CVE-2014-3569 apply without the no-ssl3 build option

2014-12-29 Thread Zeke Evans
Is an OpenSSL 1.0.1j build that does not use the no-ssl3 build option still vulnerable to CVE-2014-3569? It seems the SSLv3 handshake to a no-ssl3 application scenario is just one way to exploit this and that the ssl23_get_client_hello function causes this issue for any unsupported or unrecognized